Monitoring enterprise networks with endpoint agents

ABSTRACT

Techniques for monitoring enterprise networks with endpoint agents are disclosed. In some embodiments, a system, process, and/or computer program product for monitoring enterprise networks with endpoint agents includes deploying a plurality of endpoint agents to a plurality of endpoint devices; collecting test results from each of the plurality of endpoint agents, wherein the test results are based on tests executed on each of the plurality of endpoint devices for monitoring network activity; and generating a graphical visualization of an application delivery state for one or more application delivery layers based on the test results, generating an alert based on the test results, or generating a report based on the test results.

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/813,537 entitled MONITORING ENTERPRISE NETWORKS WITH ENDPOINT AGENTS filed Mar. 9, 2020, which is a continuation of U.S. patent application Ser. No. 15/622,535, now U.S. Pat. No. 10,659,325, entitled MONITORING ENTERPRISE NETWORKS WITH ENDPOINT AGENTS filed Jun. 14, 2017, which claims priority to U.S. Provisional Patent Application No. 62/350,632 entitled MONITORING ENTERPRISE NETWORKS WITH ENDPOINT AGENTS filed Jun. 15, 2016, all of which are incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Web services can be used to provide communications between electronic/computing devices over a network, such as the Internet. A web site is an example of a type of web service. A web site is typically a set of related web pages that can be served from a web domain. A web site can be hosted on a web server. A publicly accessible web site can generally be accessed via a network, such as the Internet. The publicly accessible collection of web sites is generally referred to as the World Wide Web (WWW).

Cloud computing generally refers to the use of computing resources (e.g., hardware and software) that are delivered as a service over a network (e.g., typically, the Internet). Cloud computing includes using remote services to provide a user's data, software, and computation.

Distributed applications can generally be delivered using cloud computing techniques. For example, distributed applications can be provided using a cloud computing model, in which users are provided access to application software and databases over a network. The cloud providers generally manage the infrastructure and platforms (e.g., servers/appliances) on which the applications are executed. Various types of distributed applications can be provided as a cloud service or as a Software as a Service (SaaS) over a network, such as the Internet.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 is a network layer diagram illustrating that the data collected from endpoints is segmented into different network layers in accordance with some embodiments.

FIG. 2 is a graphical visualization of a network topology generated using endpoint agents in accordance with some embodiments.

FIG. 3 is an architecture of an endpoint agent for an end-user device in accordance with some embodiments.

FIG. 4 illustrates an extended sample in accordance with some embodiments.

FIG. 5 is a graphical visualization that illustrates a path tracing from endpoints in accordance with some embodiments.

FIG. 6 is an example network environment that shows example endpoint agent deployments in accordance with some embodiments.

FIG. 7 is a graphical visualization that illustrates a high latency problem from an endpoint to a gateway via a wireless link that is identified using the disclosed techniques in accordance with some embodiments.

FIG. 8 is a graphical visualization that illustrates a packet loss problem from an endpoint to a gateway via a wireless link that is identified using the disclosed techniques in accordance with some embodiments.

FIG. 9 is a graphical visualization that illustrates incomplete components on a web page problem that is identified using the disclosed techniques in accordance with some embodiments.

FIG. 10 is a graphical visualization that illustrates a path visualization node grouping view in accordance with some embodiments.

FIG. 11 is a graphical visualization that illustrates a path visualization node pagination view in accordance with some embodiments.

FIG. 12 illustrates a functional block diagram of a platform for providing enterprise network monitoring using endpoint agents in accordance with some embodiments.

FIG. 13 illustrates a flow diagram for monitoring enterprise networks with endpoint agents in accordance with some embodiments.

FIG. 14 illustrates another flow diagram for monitoring enterprise networks with endpoint agents in accordance with some embodiments.

FIG. 15 illustrates another flow diagram for monitoring enterprise networks with endpoint agents in accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

Distributed applications can generally be delivered using cloud computing techniques. For example, distributed applications can be provided using a cloud computing model, in which users are provided access to application software and databases over a network. The cloud providers generally manage the infrastructure and platforms (e.g., servers/appliances) on which the applications are executed. Various types of distributed applications can be provided as a cloud service or as a software as a service (SaaS) over a network, such as the Internet. As an example, a distributed application can be implemented as a SaaS-based web service available via a web site that can be accessed via the Internet. As another example, a distributed application can be implemented using a cloud provider to deliver a cloud-based service.

Users typically access cloud-based/web-based services (e.g., distributed applications accessible via the Internet) through a web browser, a light-weight desktop, and/or a mobile application (e.g., mobile app) while the enterprise software and user's data are typically stored on servers at a remote location. For example, using cloud-based/web-based services can allow enterprises to get their applications up and running faster, with improved manageability and less maintenance, and can enable enterprise IT to more rapidly adjust resources to meet fluctuating and unpredictable business demand. Thus, using cloud-based/web-based services can allow a business to reduce Information Technology (IT) operational costs by outsourcing hardware and software maintenance and support to the cloud provider.

However, a significant drawback of cloud-based/web-based services (e.g., distributed applications and SaaS-based solutions available as web services via web sites and/or using other cloud-based implementations of distributed applications) is that troubleshooting performance problems can be very challenging and time consuming. For example, determining whether performance problems are the result of the cloud-based/web-based service provider, the customer's own internal IT network (e.g., the customer's enterprise IT network), a user's client device, and/or intermediate network providers between the user's client device/internal IT network and the cloud-based/web-based service provider of a distributed application and/or web site can present significant challenges.

What are needed are new and improved techniques to monitor, visualize, and troubleshoot the performance of cloud-based/web-based services (e.g., distributed applications and SaaS-based solutions available as web services via web sites and/or using other cloud-based implementations of distributed applications).

Overview of Techniques for Monitoring Enterprise Networks with Endpoint Agents

Accordingly, techniques for monitoring enterprise networks (e.g., enterprise IT networks) with endpoint agents are disclosed.

In one embodiment, techniques for monitoring enterprise networks with endpoint agents are disclosed that can safely and securely collect information from end-user devices (e.g., client/user devices) without requiring any extra configuration from the end user. As described herein, an example implementation of the agent is referred to as an endpoint agent. In this example implementation, the endpoint agent can be implemented as a software package that can be executed on end-user devices (e.g., desktops, laptops, tablets, smart phones, and/or other devices) and monitors network activity associated with the user activities (e.g., the user browser activity) to capture user experience and infrastructure performance metrics as further described below.

In some embodiments, techniques for monitoring enterprise networks (e.g., enterprise IT networks) with endpoint agents are disclosed as further described below with respect to various embodiments. For example, an endpoint agent can generally refer to a functional component (e.g., software implemented as a software package executed on client/user devices) that is configured to perform one or more of the disclosed techniques. An endpoint can generally refer to the device where the endpoint agent is installed and/or executed, in which the endpoint is a data source for monitored network activity (e.g., monitored using the endpoint agent), as further described below. A Network Monitoring Service Provider (NMSP) cloud (e.g., provided by a network monitoring service provider, such as ThousandEyes, Inc. or another commercial network monitoring service provider) can generally refer to the backend services supporting the endpoint agent(s), as further described below. A data subscriber (e.g., an NMSP cloud subscriber) can generally refer to an account (e.g., a ThousandEyes account) that is entitled to receive data (e.g., monitored network activity data) from a set of endpoints, as further described below. An endpoint owner can generally refer to the account (e.g., ThousandEyes account) to which the endpoint (e.g., endpoint device) belongs, as further described below. A current network can generally refer to the network where the endpoint is connected to and using the Internet, as further described below.

In some embodiments, a data subscriber's configuration identifies one or more networks that are owned by the data subscriber and/or one or more networks that are associated with the data subscriber (e.g., networks to be monitored using the disclosed techniques for network monitoring with endpoint agents). For example, owned networks can generally refer to networks that are owned by data subscribers, as further described below. Monitored networks can generally refer to a range of IP addresses of endpoints of interest to the data subscriber, as further described below. Whitelisted domains can generally refer to domain names specified by the data subscriber, as further described below.

As further described below, these and various other features and techniques are disclosed for monitoring enterprise networks with endpoint agents.

Deployment of Endpoint Agents

In one embodiment, an endpoint agent is deployed to an endpoint via an installation package. For example, an endpoint owner Alice can download a customized installer, and when installed on an endpoint, this device can be associated with endpoint owner Alice. Configurations and updates can be automatically downloaded from an NMSP Cloud (e.g., periodically, on demand, and/or as needed). In this example, after the installation of the endpoint agent on the endpoint, no configurations would need to be performed by the end user.

Also, in some cases, installation of the endpoint agent on the endpoint can be automated (e.g., using Windows Group Policies and/or other commercially available solutions for such automated installations of software packages on end-user devices). As a result, such an automated installation would not require involvement by end users (e.g., providing for an easy and seamless deployment and execution of the endpoint agent on the endpoints that is transparent to the end users).

In an example implementation, the customized installers are generated on-demand by backend services. The build system creates a non-activated package, and when requested by the endpoint owner, the package is customized with a globally unique account token and the package is activated on the endpoint.

Endpoint Data Collection Using Endpoint Agents

In one embodiment, performance data collected from end-users is processed to determine how users are experiencing different applications, troubleshooting performance degradation, and establishing trends and patterns across physically distributed points in the network.

FIG. 1 is a network layer diagram illustrating that the data collected from endpoints is segmented into different network layers in accordance with some embodiments. In one embodiment, the data collected from endpoints is segmented into different layers as shown in FIG. 1.

For example, the data can be collected in the following ways: (1) user triggered; (2) periodic network access and system data; and/or (3) scheduled tests, as further described below. User triggered data collection can be triggered by user activity, such as triggered by user activity in the browser executed on the endpoint, and can collect data from all layers below the dashed line, including a system layer 110, a network layer 120, and an application layer 130 as shown in FIG. 1. Periodic network access and system data can be used to collect periodic active network measurements to network infrastructure and capture a system resource snapshot of the endpoint. In an example implementation, scheduled tests can be used to perform active probing from endpoints to predefined targets by an endpoint owner, including, for example, an HTTP server (e.g., a web server, such as a site associated with a cloud service, distributed application, or other network/distributed service/application), network and path trace, and/or other tests can be performed to collect data/measurements relevant to/from all the layers below the dashed line as shown in FIG. 1.

In this example, the data collected includes a combination of passive and active monitoring. In some cases, network access tests, system tests, and scheduled tests are periodic whereas the user session data (e.g., web application metrics that include network metrics towards the visited site, such as a web site) is triggered by user activity. As such, periodically collecting such data can provide a better representation of the local environment and a cleaner baseline to detect anomalies and compute trends associated with, for example, network activities and performance.

Technical Challenges to Collecting Data from Endpoints Using Endpoint Agents

Data collection from end-user devices has several technical challenges, such as due to mobility of end-user devices, limited resources of end-user devices, and privacy/security concerns for users/owners of end-user devices. Because end-user devices can move, the disclosed system and techniques are provided to handle moving between networks with different owners, technologies, set-ups, and/or other similar variables for mobile devices when collecting data from deployed endpoint agents. For example, assume that an end-user Bob is inside an enterprise environment and data collection is being performed by the endpoint agent executed on Bob's endpoint that includes monitoring network activities/performance on the local IT network (e.g., enterprise network). At the end of the day, Bob returns home and transitions to his privately owned network (e.g., home network). This example presents technical challenges for implementing the disclosed techniques using endpoint agents, such as for the following questions. Should data collection continue? Or should just a subset of the metrics be collected? If the data (or a subset of the data) is collected, who should be allowed access to this data? How to detect that the user is moving between networks (e.g., from an enterprise network to a home network or other networks)?

In some embodiments, to facilitate a solution to these technical challenges, the concept of a Data Collection Profile (DCP) is disclosed. In one embodiment, a DCP is provided that describes the domains that should trigger automatic recording (e.g., automatic data collection using the endpoint agent) when the user visits the domain in his/her browser; it defines if and how often periodic tests towards local network resources should be performed and/or other policies/rules can be configured based on the DCP.

For example, the DCP can be associated with a set of networks defined by the IP range of the public IP assigned to the end-user device. As such, the DCP can be used to facilitate defining different behavior as users move between various networks (e.g., from an enterprise network to a home network and/or to other networks). As an example, when Bob is using his laptop on the enterprise network while at the office of his employer's company, in which the enterprise network is defined by a predetermined IP address range, the DCP can be configured such that the endpoint agent can monitor domain set A and perform gateway/wireless periodic network tests. However, when Bob is using his laptop outside the office (e.g., or in this example, using any other networks), then the DCP can be configured such that the endpoint agent can only gather system information associated with his laptop.

In one embodiment, an active DCP is determined by a check-in request to the NMSP cloud that responds with the current DCP based on the public IP address of the check-in request. For example, this can include all information used to collect data until a network change is detected (e.g., the endpoint is associated with a different current network).

Network Identification

In one embodiment, techniques for correlation and network identification using a networkId are disclosed. In one embodiment, the networkId is specified as follows:

networkId=hash(publicIpRange+localPrefix)

where publicIpRange is the public prefix of the public IP address of the endpoint device based on, for example, WHOIS data (e.g., a WHOIS lookup), and localPrefix is the prefix of the local IP address of the device. The networkId facilitates correlating data within the same network across devices as described herein.

Example: Network Identification

For example, for device A on network X, which has public IP address 24.51.61.41 belonging to BGP prefix 24.51.61.0/24, and device A has local IP address 10.0.0.34 on a 255.255.255.0 subnet, the result in the networkId would be as shown below.

networkId=hash(24.51.61.0/24+10.0.0.0/24)
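
The networkId computation above, written out as an added example that is not part of the patent text. The hash function is not named in the description, so SHA-256 is an assumption here, as are the function names and the small prefix table that stands in for a WHOIS/BGP lookup.

```python
import hashlib
import ipaddress

# Constructed stand-in for a WHOIS/BGP lookup: announced public prefixes.
KNOWN_PUBLIC_PREFIXES = ["24.48.0.0/13", "24.51.61.0/24"]


def public_ip_range(public_ip, prefixes=KNOWN_PUBLIC_PREFIXES):
    """Return the most specific known prefix that covers public_ip."""
    addr = ipaddress.ip_address(public_ip)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    covering = [n for n in nets if addr in n]
    if not covering:
        raise LookupError(f"no known prefix covers {public_ip}")
    return str(max(covering, key=lambda n: n.prefixlen))


def local_prefix(local_ip, netmask):
    """Mask off the host bits of the local address to get localPrefix."""
    return str(ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False))


def network_id(public_ip, local_ip, netmask):
    """networkId = hash(publicIpRange + localPrefix); SHA-256 is assumed."""
    material = (f"{public_ip_range(public_ip)}"
                f"+{local_prefix(local_ip, netmask)}")
    return hashlib.sha256(material.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Device A from the example: 24.51.61.41 / 10.0.0.34 / 255.255.255.0
    print(network_id("24.51.61.41", "10.0.0.34", "255.255.255.0"))
    # A second device behind the same public prefix and local subnet
    print(network_id("24.51.61.200", "10.0.0.7", "255.255.255.0"))
```

Private prefixes such as 10.0.0.0/24 are reused on many sites, so it is the public range in the hash input that keeps two unrelated networks from sharing a networkId.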

Verified Network Range

In an example implementation, an IT/network administrator can associate a DCP to any network range (e.g., in this example implementation, assuming that it is not verified by any other accounts at the NMSP). An account (e.g., subscriber of the NMSP) can verify a network range, ensuring that no other account can collect performance or network information from within the specific network.

For example, assume that an endpoint (with an installed endpoint agent) belonging to Alice visits the offices of the ACME Company. Also assume that ACME Company has an endpoint agent that is configured to monitor on all networks. However, when a device of ACME Company, such as Alice's device, enters BIGCO Company's network, the endpoint agent is disabled as BIGCO Company verified its network range (e.g., with the NMSP for the endpoint agent as described above). As such, only endpoint agents associated with BIGCO Company can collect data from within the verified network(s) associated with BIGCO Company.

In one embodiment, network validation of range R by company X can be performed using various techniques. Example techniques for performing network validation will now be described.

In one embodiment, network validation is performed using a WHOIS-based confirmation email. For example, range R can be looked up in WHOIS, and an email can then be sent to the email contact listed in the WHOIS look-up result. The email can include a unique validation token (e.g., provided by the NMSP) and a link that the recipient of the email can click on to validate ownership of range R. As such, once the recipient of the email clicks the link in the email, it validates ownership of the range R.

In one embodiment, network validation is performed using a DNS-based validation. For example, a user can insert a TXT entry pegged to the PTR entry they own (e.g., if they want to validate 192.168.2.0/24, then they can have a 192.168.2.verify_te TXT record with a unique validation token provided by the NMSP).

In one embodiment, network validation is performed using a manual validation. For example, a request can be sent to the NMSP (e.g., ThousandEyes) containing the IP range R that is to be validated and the requester.

Network Access Topology

In one embodiment, the endpoint agent performs periodic active measurements to access points, gateways, proxies, DNS servers, and VPN termination servers. For example, by performing such active measurements periodically, the agents can discover the topology of the network access and build a baseline of performance over time. In this example, each agent discovers the local environment using active measurements and information collected directly from the endpoints, such as wireless network quality to the access point, network performance to the gateway/proxy, DNS response time, and VPN performance metrics.

In one embodiment, for collecting local network performance data, a dynamic target list is deployed that is updated according to the user activity. For example, the dynamic target list can define which proxies and/or VPN servers should be targeted in the active network tests.

In an example implementation, a dynamic target list is a bounded list with a time expiration on each entry. In this example, if a proxy or VPN is used by the user in the browser, then the target is added to the list with the current timestamp (e.g., if only select traffic is routed through the VPN/proxy, and/or multiple VPNs/proxies exist dependent on the destination, this can produce multiple VPN/proxy targets; if the user never generated the specific traffic, the VPNs/proxies may not even be used). If the target already exists, then the timestamp is simply updated to the current time. If the list exceeds its maximum size, then the entry with the lowest timestamp is removed. The periodic network prober then uses this list and performs network tests against entries that have not expired. By maintaining a list per network, this facilitates the endpoint agent to continuously/periodically perform local network tests even when the user is moving between different networks.

In addition to the dynamic target list based on user activity including browsing activity, there are some targets that are independent of browsing activity, such as the default gateway. For example, the endpoint agent can be periodically probing the default gateway and measuring the wireless properties if it connects to the default gateway through a wireless interface.
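
The dynamic target list described above, as an added example that is not code from the patent or from any product. Class and method names, the list size, and the expiry period are assumptions; one list is kept per networkId, and the default gateway is always probed regardless of browsing activity.

```python
import time


class DynamicTargetList:
    """Bounded proxy/VPN target list with a last-used timestamp per entry."""

    def __init__(self, max_size=4, ttl_seconds=3600.0):
        self.max_size = max_size
        self.ttl_seconds = ttl_seconds
        self._last_used = {}  # target -> timestamp of most recent use

    def record_use(self, target, now=None):
        now = time.time() if now is None else now
        # Adds a new target, or refreshes the timestamp of an existing one.
        self._last_used[target] = now
        if len(self._last_used) > self.max_size:
            # Over the bound: drop the entry with the lowest timestamp.
            oldest = min(self._last_used, key=self._last_used.get)
            del self._last_used[oldest]

    def unexpired(self, now=None):
        now = time.time() if now is None else now
        return sorted(t for t, ts in self._last_used.items()
                      if now - ts < self.ttl_seconds)


class NetworkProbePlanner:
    """Keeps one DynamicTargetList per network, keyed by networkId."""

    def __init__(self, max_size=4, ttl_seconds=3600.0):
        self._max_size = max_size
        self._ttl = ttl_seconds
        self._lists = {}

    def record_use(self, network_id, target, now=None):
        if network_id not in self._lists:
            self._lists[network_id] = DynamicTargetList(self._max_size,
                                                        self._ttl)
        self._lists[network_id].record_use(target, now)

    def probe_targets(self, network_id, default_gateway, now=None):
        """Targets for the next periodic probe run on this network."""
        lst = self._lists.get(network_id)
        dynamic = lst.unexpired(now) if lst else []
        # The gateway is independent of browsing activity: always first.
        return [default_gateway] + [t for t in dynamic
                                    if t != default_gateway]


if __name__ == "__main__":
    planner = NetworkProbePlanner(max_size=2, ttl_seconds=100)
    # Constructed activity on a network labelled "office".
    planner.record_use("office", "proxy.corp.example:3128", now=0)
    planner.record_use("office", "vpn1.corp.example", now=10)
    planner.record_use("office", "proxy.corp.example:3128", now=20)
    planner.record_use("office", "vpn2.corp.example", now=30)
    print(planner.probe_targets("office", "10.0.0.1", now=40))
    print(planner.probe_targets("home", "192.168.1.1", now=40))
```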

FIG. 2 is a graphical visualization of a network topology generated using endpoint agents in accordance with some embodiments. As shown, endpoint agent groups 202, 204, and 206 can be utilized to facilitate a visualization of the access network for each of the agents over time, in this case including access points 208, 210, and 212, and which gateways are being used as shown at 214 a-c, 216, and 218 (e.g., as well as a path(s) to VPN servers and proxies (not shown in this example in FIG. 2)). Examples of metrics collected can include one or more of the following listed metrics: transmission rate, wireless signal quality, gateway loss and latency, proxy loss and latency, and VPN server loss and latency.

Data Routing Workflow for Data Collected from Endpoint Agents

In one embodiment, a workflow for routing of collected data from deployed endpoint agents is performed as will now be described. Assume that an endpoint agent owned by ACME Company is inside a network R. Example scenarios of routing of the collected data (e.g., endpoint agent collected/aggregated data) are provided below.

If R is verified by BIGCO Company, then there is a conflict and the collected data (e.g., collected by the endpoint agent) is discarded.

If ACME Company subscribes to R or monitor all networks is enabled, then the collected data (e.g., collected by the endpoint agent) is routed to ACME Company.

If data subscriber C-CORP subscribes to data from ACME Company when in R and is approved by ACME Company, then the collected data (e.g., collected by the endpoint agent(s)) is routed to C-CORP.

If ACME Company does not subscribe to R, then the collected data (e.g., collected by the endpoint agent) is discarded.

The data routing mechanisms described above can be used with different types of end-user devices including mobile devices, laptops, desktops, tablets, and/or other end-user devices. It can also be applied for Virtual Desktop Infrastructure (VDI) environments, where users are behind thin clients connected to a central/VDI server as further described below.
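
The routing scenarios above, expressed as a decision function in an added example that is not part of the patent text. The data model, the names, and the IP ranges are constructed; the example also assumes that the verified-range conflict is checked first and overrides every other rule, and that data with no recipient is discarded.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    verified: list = field(default_factory=list)    # ranges verified at NMSP
    subscribed: list = field(default_factory=list)  # ranges it monitors
    monitor_all: bool = False                       # "monitor all networks"


@dataclass
class Share:
    subscriber: str   # data subscriber asking for the data
    owner: str        # endpoint owner whose data is requested
    network: str      # range R the subscription applies to
    approved: bool    # whether the endpoint owner approved it


def _covers(ranges, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def route(owner, accounts, shares, public_ip):
    """Return the accounts that receive the data; [] means discard."""
    # Rule 1: a range verified by a different account blocks collection.
    for acct in accounts:
        if acct.name != owner.name and _covers(acct.verified, public_ip):
            return []
    recipients = []
    # Rule 2: the owner receives data for subscribed ranges or monitor-all.
    if owner.monitor_all or _covers(owner.subscribed, public_ip):
        recipients.append(owner.name)
    # Rule 3: approved data subscribers for this owner and range.
    for s in shares:
        if (s.owner == owner.name and s.approved
                and _covers([s.network], public_ip)):
            recipients.append(s.subscriber)
    # Rule 4: nothing matched, so the caller discards the data.
    return recipients


# Constructed sample configuration (documentation address ranges).
ACME = Account("ACME", subscribed=["198.51.100.0/24"])
ACME_EVERYWHERE = Account("ACME", monitor_all=True)
BIGCO = Account("BIGCO", verified=["203.0.113.0/24"])
SHARES = [Share("C-CORP", "ACME", "198.51.100.0/24", approved=True)]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.5"):
        print(ip, route(ACME, [ACME, BIGCO], SHARES, ip))
```

The last case in the test below matches the Alice example: an agent set to monitor all networks still yields nothing once it is inside a range another account has verified.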

Data Routing Workflow for Live Sharing for Data Collected from Endpoint Agents

In one embodiment, a workflow for routing of collected data from deployed endpoint agents is performed to facilitate live sharing of the collected data with one or more other entities as will now be described. Assume that an endpoint agent owned by ACME Company is inside a network R. Example scenarios of routing of the collected data (e.g., endpoint agent collected/aggregated data) to facilitate such live sharing techniques are provided below.

If another entity C-CORP requests to access the collected data from ACME Company and is approved by ACME Company (e.g., a pull request for live sharing, which may also include requesting that the entity/user authenticates that they are authorized for sharing such collected data as it is associated with their network domain and both entities/users approve of such live sharing), then the collected data (e.g., collected by the endpoint agent) is routed to C-CORP.

If ACME Corporation desires to provide access to the collected data from ACME Company (e.g., a pull request for live sharing, which may also include requesting that the entity/user authenticates that they are authorized for sharing such collected data as it is associated with their network domain and both entities/users approve of such live sharing), then the collected data (e.g., collected by the endpoint agent) is routed to C-CORP.

For example, such live sharing techniques for sharing the collected data can facilitate troubleshooting information to be shared by ACME Corporation with their Software as a Service (SaaS) provider (e.g., Microsoft for Office365 or another service/provider).

Example Endpoint Agent Architecture

FIG. 3 is an architecture of an endpoint agent for an end-user device in accordance with some embodiments. In one embodiment, an endpoint agent (e.g., software package installable on end-user devices) includes multiple components installed and executed on an end-user device 302, which collaborate to collect and submit data to an NMSP cloud 320 as shown in FIG. 3.

Referring to FIG. 3, end-user device 302 is in network communication with NMSP cloud 320, such as via the Internet (not shown). The endpoint agent can include multiple components, which can be executed at different system layers (e.g., a system/kernel, a user space, and/or an application layer). In this embodiment, an agent DCP component 314 executes in the system layer and includes/stores the DCP for endpoint 302 received from NMSP cloud 320. Agent DCP is in communication with Browser Helper Objects (BHO) 308 and 310, which can communicate with browser applications, such as a Google Chrome® browser 304 and a Microsoft Internet Explorer® browser 306 as shown. For example, BHO 310 can be configured to monitor user browser activity on the endpoint, and as similarly described above, network activity monitoring/tests can be triggered/performed based on the site accessed by the user using IE browser 306 and based on the DCP configuration for endpoint 302 as provided via agent DCP 314 (e.g., based on the current network, network domain, and/or other DCP policies/rules as similarly described above). As also shown, a User Space Proxy (USP) component 312 executed in the user space is provided and is in communication with agent DCP 314 (e.g., the USP can be used for enterprise environments that have all HTTP traffic routed through an authenticated HTTP proxy to access the Internet, such as further described below in the User Space Proxy section). As similarly described above, the endpoint agent can be configured to perform system monitoring/tests as well as network monitoring/tests using these various components executed on the endpoint. The system and network monitoring/tests data/results can be communicated to NMSP cloud 320 (e.g., periodically, on demand, and/or as needed).

In an example implementation, the endpoint agent includes a te-agent component and a te-browserhelper component. These components can be installed automatically by the software installer package. In this example implementation, the te-agent component is responsible for performing active network measurements, communication with the NMSP cloud, and performing periodic network/system measurements.

In this example implementation, the browser activity is gathered using a te-browserhelper component, which communicates with the browser via JavaScript Object Notation (JSON) Remote Procedure Call (RPC) and uses a te-agent to perform network measurements. For the Google Chrome® web browser, a custom extension (EXT) is installed that gathers performance metrics and streams the data to the browserhelper (BHO) (e.g., BHO 308) as it becomes available. For the Microsoft Internet Explorer® (IE) web browser, a Browser Helper Object (BHO) is installed that monitors web activity and likewise streams the data to the browserhelper (e.g., BHO 310). Additional helper components can be utilized to facilitate automatic update and optional user interactions.

General Operation of Endpoint Agents and Interactions with NMSP Cloud

In one embodiment, the endpoint agent periodically checks in with the NMSP cloud, and the check-in includes its current network and system profile as well as internal usage statistics. The NMSP cloud responds with a set of configurations that determines what data should be collected from the current network.

For example, the response provided by the NMSP cloud can include a domain whitelist (e.g., encoded using a Bloom filter). In the case of the endpoint agent, this whitelist can be consulted to determine if a given domain should automatically be recorded. The check-in can be performed periodically or when a network change is detected (e.g., or based on other configurations or events).

An example system architecture of a platform for providing the NMSP cloud is further described below with respect to FIG. 12.

Sample Data Collection from Endpoint Agents

In one embodiment, sample data is collected from the web browser and BHO working together. As described above, the endpoint agents can be implemented to support one or more commercially available web browsers, such as Google Chrome® and Microsoft Internet Explorer®. For Google Chrome, a standard Chrome extension can be used that uses the “chrome.webRequest” and “chrome.debugger” APIs of Chrome to extract timing and page information. For Internet Explorer, custom JavaScript can be injected into the page to extract the timing information.

Sample Types Including Extended Samples

In one embodiment, samples can be original or extended. A sample is original if a new page object triggered that sample (e.g., the first page in a session or if the user has been inactive for a configurable period and then browses to a new page). An extended sample is a sample that is triggered by a long running page that continuously generates entries (e.g., a one page website that refreshes its data every 30 seconds). After a configurable period of time, these periodic entries will trigger a new sample that is said to be extending the original sample.

FIG. 4 illustrates an extended sample in accordance with some embodiments. Referring to FIG. 4, recording extended samples using the endpoint agent facilitates collecting network data for long running sessions, such as a session 402. For example, some sessions may span multiple hours or another extended period of time (e.g., a user may keep a browser open for a given site, such as Facebook, Salesforce.com, or another site/service for one or more days/weeks or another period of extended time). As shown, recording extended samples can trigger samples periodically to augment the entries as they are collected (e.g., for predetermined time intervals, such as every 5 minutes, 1 hour, or some other time interval).

RPC Protocol for Web Browsers

In an example implementation, the format is further designed to facilitate separation of responsibility. The browser-based data collection software (e.g., such as for Google Chrome and Microsoft Internet Explorer as described above) can be configured to be aware of Session, Page, and Entry objects. This makes the monitoring process more efficient as no processing is needed in the browsers. The BHO component can manage the samples and when to create extended samples, how the data for the sample is gathered, and/or other such operations.

A simple Remote Procedure Call (RPC) protocol exists for web browsers,as shown below.

StartSession( ) → sessionId
AddPage(sessionId, pageObj)
AddEntry(sessionId, entryObj)
UpdatePage(sessionId, pageUpdateObj)
EndSession(sessionId)

UpdatePage( ) is used to send updated information about a page if such becomes available (e.g., page title changed, updated page timings are available, etc.).

Sample Network Data

In this example, the sample object includes additional network information captured during a session. Example additional network information captured during a session can include one or more of the following: host, protocol, and port of HTTP connection; positional coordinates (e.g., resolved using GPS, Wi-Fi location, or network location services); TCP connectivity test towards destination; loss/latency/jitter/traceroute to destination (ICMP); loss/latency/jitter to gateway (ICMP); loss/latency/jitter/traceroute to VPN (ICMP) if configured on the device; loss/latency/jitter/traceroute to HTTP proxy (ICMP) if configured on the device; network configuration profile of network interfaces including IP addresses, DNS servers, gateway, and potential next hop interfaces (in the case of VPNs); physical network information including wireless quality, bssid/ssid, channel, link speed, and/or similar physical network information; proxy configuration profile; and system information including CPU usage, network usage, memory, and disk.

Path Tracing from Endpoints

FIG. 5 is a graphical visualization that illustrates a path tracing from endpoints in accordance with some embodiments. In one embodiment, using similar techniques as described in co-pending U.S. Patent Application Publication No. US20130311832 (Attorney Docket No. THOUP001) entitled CROSS-LAYER TROUBLESHOOTING OF APPLICATION DELIVERY filed Mar. 15, 2013, which is incorporated herein by reference for all purposes, the path taken from a multitude of endpoints towards applications used in the browser can be reconstructed. Referring to FIG. 5, the web app Github is actually being served from two different servers as shown at 502 and 504.

In this example, a 1-hour time aggregation is used, in which the time aggregation can be configured by the user (e.g., from 5 minutes to 1 hour).

In an example implementation, known devices can be annotated in the path, such as in this example the first hop is a VPN server as shown at 506 in FIG. 5. This helps users to understand how their network is used by different applications and which network elements are associated with each user over time.

Endpoint Agent Communication with the NMSP Cloud

In an example implementation, communication with the backend/NMSP cloud is performed using HTTPS and JSON encoded body (e.g., or other (secure) protocols and encodings can be used). Gzip compression (e.g., or other compression algorithms can be used) is applied to minimize data transfer of the collected data over the network to prevent taking up too much network bandwidth when performing such communications between the endpoint agent and the NMSP cloud. Further, data entries can be batched where a batch can be uploaded when either of the following conditions is satisfied: 1) batch size exceeds configurable threshold; or 2) batch has not been changed within the last predetermined period of time (e.g., X seconds).
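The two upload conditions and the gzip-over-JSON encoding described above can be sketched as follows. This is an added example, not code from the patent; the class name, the choice to count batch size in entries, and the explicit clock argument are assumptions made for illustration.

```python
import gzip
import json


class UploadBatcher:
    """Buffers collected entries and releases a gzip-compressed JSON batch.

    A batch is released when either condition from the text holds:
      1) its size exceeds a configurable threshold, or
      2) it has not changed within the last idle_seconds seconds.
    """

    def __init__(self, max_entries=3, idle_seconds=30.0):
        self.max_entries = max_entries    # assumption: size is counted in entries
        self.idle_seconds = idle_seconds  # the "X seconds" of the text
        self._entries = []
        self._last_change = None

    def add(self, entry, now):
        """Queue one entry; return an encoded batch if the size rule fires."""
        self._entries.append(entry)
        self._last_change = now
        if len(self._entries) > self.max_entries:
            return self._flush()
        return None

    def poll(self, now):
        """Called periodically; return an encoded batch if the idle rule fires."""
        if self._entries and now - self._last_change >= self.idle_seconds:
            return self._flush()
        return None

    def _flush(self):
        body = json.dumps({"entries": self._entries}, separators=(",", ":"))
        self._entries = []
        self._last_change = None
        # mtime=0 keeps the gzip header free of a wall-clock timestamp
        return gzip.compress(body.encode("utf-8"), mtime=0)


def decode_batch(payload):
    """Receiving side: reverse the gzip + JSON encoding."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))["entries"]


if __name__ == "__main__":
    batcher = UploadBatcher(max_entries=3, idle_seconds=30.0)
    # Constructed entries; timestamps are seconds on an arbitrary clock.
    for t, host in enumerate(["a.example", "b.example", "c.example", "d.example"]):
        payload = batcher.add({"host": host}, now=float(t))
        if payload:
            print("size rule:", len(payload), "bytes ->", decode_batch(payload))
    batcher.add({"host": "e.example"}, now=100.0)
    print("too early:", batcher.poll(now=110.0))
    print("idle rule:", decode_batch(batcher.poll(now=130.0)))
```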

Security and Privacy for Data Collection by Endpoint Agents

As discussed above, collecting data from end-user devices sets high requirements for privacy and security. As such, in an example implementation, all communication with the NMSP cloud is performed over the HTTPS or another secure protocol and authenticated. For example, the authentication can be performed using a globally unique machineId and authentication token generated by the endpoint agent itself. Also, to protect end-user privacy, HTTP body content and cookies can be removed from the HTTP Archive (HAR) data before leaving the browser memory space (e.g., metadata is retained).
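The HAR scrubbing step described above can be illustrated as follows. This is an added example, not code from the patent; the function names and the sample HAR entry are constructed, and treating the Cookie and Set-Cookie headers as part of "cookies" is an assumption of this sketch.

```python
import copy
import json

COOKIE_HEADERS = {"cookie", "set-cookie"}


def _strip_cookie_headers(headers):
    # Cookies also travel as raw headers, so drop those alongside the parsed list.
    return [h for h in headers if h.get("name", "").lower() not in COOKIE_HEADERS]


def scrub_har(har):
    """Return a copy of a HAR document with cookies and body content removed.

    Metadata (URL, status, sizes, MIME types, timings) is retained.
    """
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        res = entry.get("response", {})
        for msg in (req, res):
            msg["cookies"] = []
            msg["headers"] = _strip_cookie_headers(msg.get("headers", []))
        post = req.get("postData")
        if post is not None:
            # Keep the MIME type (metadata); drop the text and parsed params.
            req["postData"] = {"mimeType": post.get("mimeType", "")}
        content = res.get("content")
        if content is not None:
            content.pop("text", None)
            content.pop("encoding", None)
    return clean


def find_leaks(har, needles):
    """Verification helper: which sensitive strings still occur anywhere in the HAR."""
    blob = json.dumps(har)
    return [n for n in needles if n in blob]


# Constructed sample: one login request as a browser might record it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "startedDateTime": "2016-06-15T10:00:00.000Z",
    "time": 182,
    "request": {
        "method": "POST",
        "url": "https://crm.example/login",
        "headers": [
            {"name": "Content-Type", "value": "application/x-www-form-urlencoded"},
            {"name": "Cookie", "value": "session=abc123"},
        ],
        "cookies": [{"name": "session", "value": "abc123"}],
        "postData": {
            "mimeType": "application/x-www-form-urlencoded",
            "text": "user=alice&password=hunter2",
            "params": [{"name": "password", "value": "hunter2"}],
        },
        "bodySize": 27,
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"}],
        "cookies": [{"name": "session", "value": "def456"}],
        "content": {"size": 42, "mimeType": "text/html", "text": "<p>Welcome alice</p>"},
        "bodySize": 42,
    },
    "timings": {"dns": 12, "connect": 30, "send": 1, "wait": 120, "receive": 19},
}]}}

SECRETS = ["abc123", "def456", "hunter2", "Welcome alice"]  # constructed values

if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE_HAR, SECRETS))
    print("after: ", find_leaks(scrub_har(SAMPLE_HAR), SECRETS))
```

Running a leak check such as find_leaks over scrubbed output is a cheap regression test for any new HAR field that starts carrying body or cookie data.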

In addition, in this example implementation, the domain whitelist downloaded during the check-in is encoded using a Bloom filter (e.g., false positives can be filtered in the NMSP cloud during upload) to prevent a potential attacker from retrieving a list of NMSP customers with verified domains.
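The Bloom-filter whitelist, covering both the check-in response described earlier and the cloud-side filtering of false positives described here, can be sketched as follows. This is an added example, not code from the patent; the hash construction (SHA-256 with double hashing), the deliberately tiny filter size, the function names, and the domain names are all assumptions chosen so that a false positive is easy to observe.

```python
import hashlib


class BloomFilter:
    def __init__(self, m_bits, k_hashes, bits=None):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(bits) if bits is not None else bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Double hashing: position_i = (h1 + i*h2) mod m, from one SHA-256 digest.
        digest = hashlib.sha256(item.lower().encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


# Cloud side: the exact list never leaves the backend (constructed domains).
CUSTOMER_DOMAINS = {"crm.example", "mail.example", "wiki.example",
                    "git.example", "hr.example"}


def build_checkin_whitelist(domains, m_bits=64, k_hashes=3):
    """What the check-in response carries: filter parameters and raw bits only."""
    bf = BloomFilter(m_bits, k_hashes)
    for d in domains:
        bf.add(d)
    return {"m": m_bits, "k": k_hashes, "bits": bytes(bf.bits)}


def load_whitelist(whitelist):
    """Agent side: rebuild the filter from the downloaded bits."""
    return BloomFilter(whitelist["m"], whitelist["k"], whitelist["bits"])


def cloud_filter_upload(records, domains):
    """Cloud side, during upload: drop records admitted only by a false positive."""
    return [r for r in records if r["domain"].lower() in domains]


def first_false_positive(bf, domains, limit=100000):
    """Find a non-customer domain the filter admits (to show why the cloud re-checks)."""
    for i in range(limit):
        candidate = "site%d.example" % i
        if candidate not in domains and candidate in bf:
            return candidate
    return None


if __name__ == "__main__":
    wl = build_checkin_whitelist(CUSTOMER_DOMAINS)
    agent_filter = load_whitelist(wl)
    print("downloaded bits:", wl["bits"].hex())
    fp = first_false_positive(agent_filter, CUSTOMER_DOMAINS)
    uploads = [{"domain": d} for d in ("crm.example", fp) if d in agent_filter]
    print("agent recorded:", uploads)
    print("cloud kept:    ", cloud_filter_upload(uploads, CUSTOMER_DOMAINS))
```

The filter still answers membership queries for any name it is asked about; what it withholds is the readable list, and because of false positives a hit alone does not prove a domain belongs to a customer.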

User Space Proxy

In some enterprise environments, all HTTP traffic is routed through an authenticated HTTP proxy to access the Internet. When the authentication is based on the logged-in user, the system level account may not have access to the HTTP proxy, which prevents the te-agent executing as system from connecting to the NMSP cloud. To handle this case, in one embodiment, a User Space Proxy (USP) is used, which is a binary that executes in the user space of the logged-in users.

When a USP comes online, it contacts the endpoint agent and negotiates that it is able to proxy HTTP requests for the endpoint agent. In an example implementation, when the endpoint agent is to access the backend (e.g., NMSP cloud), the following checks are performed: (1) can the agent connect to the NMSP cloud directly or (if configured) via a network proxy; and (2) can the agent connect to the NMSP cloud via one of the USPs which will use the proxy and authentication configured on the user. In this example implementation, the agent is configured to prefer the above-described option for the agent to connect to the NMSP cloud directly or (if configured) via a network proxy, if possible. Further requests can be routed as determined by the above steps without checking the connectivity again. When the network state changes, the checks can be performed again.

Process Monitoring Using Endpoint Agents

In one embodiment, endpoint agents are configured to also perform process monitoring on endpoints. For example, endpoint agents can be configured to monitor for certain new processes (e.g., based on an association with a new socket open on the endpoint, which can be used to monitor various network connections including for non-web applications, such as connections between thin clients and a VDI server based on a process executed on the thin client for attaching to the VDI server). As another example, endpoint agents can be configured to monitor a specific type of process (e.g., a Skype process or another process), which can be performed to facilitate additional network layer 4 testing using endpoint agents. In addition, scheduled testing techniques as further described below can also be applied to perform these process monitoring techniques using endpoint agents.

Labels for Endpoint Agents

In one embodiment, endpoint agents are associated with labels (e.g., configurable and/or dynamic tags, such as to identify agents based on a current network, geographical location, and/or other criteria/state information associated with the endpoint or endpoint agent). For example, endpoint agents can be dynamically associated/tagged with labels based on a current network, location/geography, operating system (OS), current state information, and/or other runtime/state information associated with an agent/device, which can be used to schedule tests, visualization, live sharing, searching, and/or filtering data collected from the agents, in which labels are often associated with one or more network/endpoint properties.

As an example, assume that ACME Corporation has configured a label for endpoint agents identified as being located in the San Francisco office (e.g., based on a network associated with the endpoint agent, in which such is a dynamic label/tag based on the current network). In this example, scheduled tests can be directed to endpoint agents with a specified label (e.g., a scheduled HTTP test targeting SalesForce.com from agents associated with the San Francisco office (based on that label/tag), which will then be executed by endpoint agents if a given endpoint is in the San Francisco office at the specified time for the scheduled test, but would not be executed by endpoint agents if the endpoint is not currently connected to the network in the San Francisco office, such as for remote users who are working at home and/or users who are working from other offices of ACME Corporation).

Scheduled Tests for Endpoint Agents

In one embodiment, endpoint agents are configured to perform scheduled tests. In an example implementation, scheduled tests can be configured by an IT/network admin and distributed to deployed agents using an agent controller, such as further described herein.

For example, endpoint agents can be configured to perform scheduled tests based on user triggered events, and agents perform extra tests and capture data for test results. As another example, endpoint agents can be configured to perform scheduled tests in order to perform periodic network infrastructure tests. Example periodic network infrastructure tests can include path network tests, DNS tests, HTTP tests, and/or other network infrastructure tests. As yet another example, endpoint agents can be configured to perform scheduled tests based on a label(s) in which agents check in periodically and/or based on network change, at which point the agent controller can determine labels for such agents and which, if any, tests are to be scheduled based on labels.

Alerting, Detecting Events, and Reporting Using Endpoint Agents

In one embodiment, alerts are generated using the disclosed techniques for enterprise network monitoring using endpoint agents. For example, a wireless gateway latency or packet loss event can be detected using the disclosed techniques as further described below with respect to example use case scenario A. As another example, alerts can be configured to be generated based on one or more trigger notifications when a set of properties match a predefined criteria. Trigger notification criteria can also be based on endpoint agent labels (e.g., a configured alert can select to generate an alert if a signal quality drops below 65% based on aggregated agents/endpoints in a San Francisco office for ACME Corporation by selecting criteria for endpoint agents with a label of San Francisco endpoints, and automatic deactivation of alert logic, such as if the signal quality returns to above 65%).
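The label-scoped alert with automatic deactivation described above can be sketched as follows. This is an added example, not code from the patent; the class and field names, the use of the mean as the aggregation, and the sample measurement rounds are assumptions made for illustration.

```python
from statistics import mean


class LabelAlertRule:
    """Fires when the aggregated metric for agents carrying a label drops
    below a threshold, and clears automatically when it returns above it."""

    def __init__(self, label, metric, threshold):
        self.label = label
        self.metric = metric
        self.threshold = threshold
        self.active = False

    def evaluate(self, samples):
        """samples: list of {"agent", "labels", <metric>} dicts for one interval.

        Returns "ALERT" on activation, "CLEAR" on deactivation, otherwise None.
        """
        values = [s[self.metric] for s in samples
                  if self.label in s["labels"] and self.metric in s]
        if not values:
            return None  # no agent currently carries the label; keep state
        aggregate = mean(values)  # assumption: aggregation is the mean
        if not self.active and aggregate < self.threshold:
            self.active = True
            return "ALERT"
        if self.active and aggregate > self.threshold:
            self.active = False
            return "CLEAR"
        return None


def sample(agent, labels, quality):
    return {"agent": agent, "labels": set(labels), "signal_quality": quality}


# Constructed rounds. Labels are dynamic: in the last round sf-1 has roamed
# to a home network and no longer carries the "San Francisco" label.
ROUNDS = [
    [sample("sf-1", ["San Francisco"], 80), sample("sf-2", ["San Francisco"], 70),
     sample("home-1", ["Home"], 30)],
    [sample("sf-1", ["San Francisco"], 60), sample("sf-2", ["San Francisco"], 62),
     sample("home-1", ["Home"], 90)],
    [sample("sf-1", ["San Francisco"], 64), sample("sf-2", ["San Francisco"], 60)],
    [sample("sf-1", ["San Francisco"], 70), sample("sf-2", ["San Francisco"], 72)],
    [sample("sf-1", ["Home"], 20), sample("sf-2", ["San Francisco"], 68)],
]


def run_rounds(rounds, rule=None):
    rule = rule or LabelAlertRule("San Francisco", "signal_quality", 65)
    return [rule.evaluate(r) for r in rounds]


if __name__ == "__main__":
    for i, event in enumerate(run_rounds(ROUNDS), start=1):
        print("round", i, "->", event)
```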

In one embodiment, event detection is performed using the disclosed techniques for enterprise network monitoring using endpoint agents. For example, a wireless gateway latency or packet loss event can be detected using the disclosed techniques as further described below with respect to example use case scenario A.

In one embodiment, reports are generated using the disclosed techniques for enterprise network monitoring using endpoint agents. For example, reports can provide aggregated data, such as over a period of time (e.g., 30 days, 90 days, and/or some other configurable period of time). In an example implementation, reports include summaries of agent performance data that is aggregated, such as network performance over time for capacity planning purposes or other network management purposes, and/or to monitor latency and network performance for access to a cloud service, such as Microsoft Office 365 or another cloud service, in which different report templates can be provided for different IT/network users (e.g., network admin users, IT help desk users, IT system admin users, and/or other types/categories of users).

Example Use Cases

FIG. 6 is an example network environment that shows example endpoint agent deployments in accordance with some embodiments. Referring to FIG. 6, the endpoint agents can be deployed in endpoints that access various networks as shown by an endpoint agent deployed on an endpoint accessing an enterprise branch network as shown at 602 and as shown by another endpoint agent deployed on another endpoint accessing a home network/public Hotspot network as shown at 604.

Example Use Case A

In this example use case A, ACME Corporation uses Salesforce.com and Office365 to manage its customers and internal documents. Some employees have reported long response times and sporadic unavailability issues with the external services. The IT/network administrator(s) are not able to reproduce the problem on their machine(s), but the employees keep complaining about these performance problems. Each of Salesforce.com and Microsoft (for Office365) reports that their respective services/systems are in good health and are not having any performance problems.

By using the disclosed techniques, ACME Corporation can deploy endpoint agents on the employees' machines (e.g., if not already deployed) and collect an aggregate view of the user experiences. By monitoring the user/endpoints as they use these services (e.g., Salesforce.com and Office365) and capturing the browser performance data they are actually seeing from the respective endpoints, the IT/network administrators are able to pinpoint the problem(s). For example, the problem(s) can be related to a wireless signal, a local gateway, a high CPU and/or memory usage on the end-user devices/endpoints, a proxy issue, a routing issue to the external service (e.g., Salesforce.com and Office365), a third-party service that Salesforce.com or Office365 is dependent on (e.g., a Content Distribution Network (CDN) provider), a packet loss between the organization network and the SaaS, and/or various other network and/or system related problems as similarly described above.

FIG. 7 is a graphical visualization that illustrates a high latency problem from an endpoint to a gateway via a wireless link that is identified using the disclosed techniques in accordance with some embodiments. In this example, the endpoint agent testing indicates that there is a high latency from an endpoint 702 via a wireless link 704 to a gateway 706 as shown in FIG. 7. As similarly described in the above example use case scenario, the endpoint agent collected data results can be used by IT/network admin(s) for ACME Corporation to identify/troubleshoot the performance problems (e.g., as due at least in part to this packet loss problem) experienced by users for various services, such as Salesforce.com and/or Microsoft Office365.

FIG. 8 is a graphical visualization that illustrates a packet loss problem from an endpoint to a gateway via a wireless link that is identified using the disclosed techniques in accordance with some embodiments. In this example, the endpoint agent testing indicates that there is a high packet loss from an endpoint 802 via a wireless link 804 to a gateway 806 as shown in FIG. 8. As similarly described in the above example use case scenario, the endpoint agent collected data results can be used by IT/network admin(s) for ACME Corporation to identify/troubleshoot the performance problems (e.g., as due at least in part to this packet loss problem) experienced by users for various services, such as Salesforce.com and/or Microsoft Office365.

FIG. 9 is a graphical visualization that illustrates incomplete components on a web page problem that is identified using the disclosed techniques in accordance with some embodiments. In this example, the endpoint agent testing indicates that there are incomplete components on a web page problem as shown at 902 in FIG. 9. As similarly described in the above example use case scenario, the endpoint agent collected data results can be used by IT/network admin(s) for ACME Corporation to identify/troubleshoot the performance problems (e.g., as due at least in part to this incomplete components on a web page problem) experienced by users for various services, such as Salesforce.com and/or Microsoft Office365.

Example Use Case B

In this example use case B, ACME Corporation has branch offices in different geographical locations across the United States (e.g., in Miami, Florida and in the San Francisco Bay Area in California), and is hosting an internal system at the headquarters. The branch offices are connected to the headquarters via VPN network connections. Further, ACME Corporation can have multiple employees working from home and working remote while on the road/business travel who are also connecting via VPN network connections. In this example, employees working from home are reporting that the internal system/service is unavailable at times and it is affecting their productivity. As each home office is unique and uses a variety of ISPs, it is difficult for the IT/network administrator(s) to pinpoint the problem(s).

By using the disclosed techniques, ACME Corporation can deploy endpoint agents to the employees' machines (e.g., if not already deployed) for the employees who are working from home and can collect an aggregate view of the user experiences for each of these remote users. As such, the IT/network administrator(s) can collect data reporting the system and network performance associated with each of these endpoints and their respective connectivity to the internal system/service. For example, this collected performance data from the endpoint agents can include home wireless signal quality, VPN connection to the headquarters, system load for each of the endpoints, Internet Service Provider (ISP) issues (e.g., packet loss, routing, high latency, and/or other network performance issues associated with the ISP's network), and the availability of the internal system/service itself.

Additional Visualizations Generated Using Data Collected From Endpoint Agents

FIG. 10 is a graphical visualization that illustrates a path visualization node grouping view in accordance with some embodiments. In this example, the path between an endpoint agent 1002 and a destination site 1006 is shown in a path visualization node grouping that can be further drilled down into for a more detailed view of the path (e.g., including the additional 15 intermediate hops) as shown at 1004 in FIG. 10.

For example, the disclosed path visualization node grouping view techniques can be used to efficiently show results data with a larger number of intermediate hops between monitored endpoints and destination sites/services.

In one embodiment, the disclosed path visualization node grouping view techniques can be based on labels and/or configurable criteria (e.g., based on network infrastructure that includes public network, private network, or endpoint properties such as location, and/or other properties).

FIG. 11 is a graphical visualization that illustrates a path visualization node pagination view in accordance with some embodiments. In this example, an endpoint agent group 1102 and an endpoint agent group 1104 are each shown in a path visualization node pagination view that can be further drilled down into for a more detailed view of each of these respective groups of endpoint agents as shown in FIG. 11.

For example, the disclosed path visualization node pagination view techniques can be used to efficiently show results data from a large number of agents for customers with a larger number of endpoints being monitored.

In one embodiment, the disclosed path visualization node pagination view techniques can be based on labels and/or configurable criteria (e.g., based on network infrastructure that includes public network, private network, or endpoint properties such as location, and/or other properties).

System Architecture of a Platform for Providing Enterprise Network Monitoring Using Endpoint Agents

An example of a system architecture of a platform for providing enterprise network monitoring using endpoint agents is shown in FIG. 12 as described below.

FIG. 12 illustrates a functional block diagram of a platform for providing enterprise network monitoring using endpoint agents in accordance with some embodiments. In particular, FIG. 12 illustrates an environment in which a platform for cross-layer visibility and troubleshooting of distributed applications 1200 includes endpoint agents 1216-1220 (e.g., which can be configured to perform certain tests, have labels, and/or perform on demand, event/context triggered, and/or scheduled tests, such as similarly described herein) that collect data based on configured tests, and the endpoint agents 1216-1220 send this data to a controller(s) 1214 (e.g., agent controller(s)). Controller 1214 stores the data in a storage tier 1212 (e.g., providing permanent storage) that can be used by a web tier 1204 to generate visualizations, alerts, and/or reports to users accessing the platform 1200 using client/endpoint devices (e.g., computers, laptops, smartphones, and/or various other computing devices).

For example, a report can be output to a user to present the collected and analyzed cross-layer application delivery information of a distributed application. Example reports can include various visualizations and/or diagnostic information as further described herein with respect to various embodiments. For example, the report can facilitate troubleshooting application delivery associated with the distributed application to determine whether performance problems are the result of the cloud provider of the distributed application, the customer's own internal IT network, a user's client device, and/or intermediate network providers between the user's client device and the cloud provider. The report can also include recommendations to the user to resolve any such determined application delivery problems associated with the distributed application. In some cases, the report can also be provided to a third party, such as the Software as a Service (SaaS) provider of the distributed application and/or a network provider, which can be provided as information to indicate the source of such determined application delivery problems associated with the distributed application.

In the example shown, the user of client/endpoint device 1206 (hereinafter referred to as “Bob”) is employed as an IT manager of a distributed application company (“SaaS Company”). The user of client device 1208 (hereinafter referred to as “Alice”) is employed as an IT manager of a national company (“ACME Company”). As will be described in more detail below, Bob and Alice can each access the services of platform 1200 (e.g., platform for cross-layer visibility and troubleshooting of distributed applications) via web tier 1204 over a network, such as the Internet. The techniques described herein can work with a variety of client devices 1206-1208 including, for example, personal computers, tablet computers, smartphones, and/or other computing devices.

In some embodiments, platform 1200 generates various reports based on results of the network performance tests to facilitate cross-layer visibility and troubleshooting of application delivery associated with a distributed application(s), as further described herein. In some embodiments, platform 1200 includes a data store, such as storage tier 1212, for storing results of the network performance tests and/or the reports.

In some embodiments, a set of agent controllers 1214 is provided as shown to send various tests (e.g., such as the various tests described herein with respect to various embodiments) to the endpoint agents for execution by the endpoint agents. For example, endpoint agents can be executed on client/endpoint devices, which are controlled by agent controllers to perform one or more tests as further described herein, in which the test results can be collected for correlation and analysis, as further described herein with respect to various embodiments.

In some embodiments, the tests are configured through a web interface by a user (e.g., an IT/network admin for ACME Corporation). For example, typical parameters can include the frequency of various tests (e.g., periodic, scheduled, on demand, and/or triggered based on events/context information associated with the agents/endpoints or other context information), the target of the tests, and the agents (e.g., based on labels and/or other criteria/context information associated with the agents/endpoints or other context information) where the tests are to be performed. The test parameters can be sent from the controller (e.g., agent controllers 1214) to the endpoint agents after an endpoint agent checks in (e.g., using a pull mechanism). After an endpoint agent executes a test, the endpoint agent can export the test result(s) back to the controller. The controller can then provide the results back to a data store (e.g., storage tier 1212) for permanent storage (e.g., or temporary storage). Besides periodic tests, a controller can also send on-demand tests, scheduled, and/or triggered tests to an agent(s) through, for example, a Remote Procedure Call (RPC) for immediate or on-demand execution.

In various embodiments, platform 1200 is a scalable, elastic architecture and may comprise several distributed components, including components provided by one or more third parties. Further, when platform 1200 is referred to as performing a task, such as storing data or processing data, it is to be understood that a sub-component or multiple sub-components of platform 1200 (whether individually or in cooperation with third party components) may cooperate to perform that task.

In some embodiments, tests include various types of tests to facilitate cross-layer visibility and troubleshooting of application delivery associated with a distributed application(s), as further described herein. Example network tests include data path measurement tests, routing path measurement tests, and end-to-end network metrics tests. Example DNS tests include per name server testing and Domain Name System Security Extensions (DNSSEC) bottom-up validation tests. Example HTTP tests include testing of steps of a Uniform Resource Locator (URL) fetch. Example page load tests include testing of a load of an entire web page using a web browser (e.g., a typical web browser). Example transaction tests include performing a multi-step scripted transaction from a web browser (e.g., a typical web browser). These and various other tests are described herein.

Example processes for monitoring enterprise networks (e.g., enterprise IT networks) with endpoint agents using the disclosed techniques will now be described below.

Processes for Monitoring Enterprise Networks With Endpoint Agents

FIG. 13 illustrates a flow diagram for monitoring enterprise networks with endpoint agents in accordance with some embodiments. In some embodiments, process 1300 is performed using platform 1200 as shown in FIG. 13.

At 1302, deploying a plurality of endpoint agents to a plurality of endpoint devices is performed. For example, a plurality of endpoint agents can be distributed to a plurality of endpoint devices using the platform described above. As similarly described above, an endpoint agent can be implemented using the endpoint architecture described above to perform the disclosed techniques for monitoring enterprise networks using endpoint agents.

In one embodiment, each of the plurality of endpoint agents performs network monitoring tests and system monitoring tests. For example, the endpoint agents can perform network monitoring tests and system monitoring tests (e.g., including process monitoring) as similarly described above.

In one embodiment, each of the plurality of endpoint agents is controlled by an agent controller. For example, the agent controller can facilitate deployment, configuration, and data collection operations with each of the plurality of endpoint agents.

In one embodiment, the tests that can be performed by the endpoint agents on the endpoint devices are configurable. For example, the tests can be configured to be performed based on a schedule, periodically, on demand, and/or based on a trigger as similarly described above. As another example, the test can be configured to be performed based on labels associated with the endpoint agents as similarly described above.

At 1304, collecting test results from each of the plurality of endpoint agents is performed, wherein the test results are based on tests executed on each of the plurality of endpoint devices for monitoring network activity. For example, test results from each of the plurality of endpoint agents can be collected using the platform described above. As similarly described above, endpoint agents can provide user experience monitoring to facilitate diagnosis and troubleshooting of network performance and/or endpoint device system performance problems.

At 1306, generating a graphic visualization based on the test results is performed. For example, a graphical visualization of an application delivery state for one or more application delivery layers based on the test results can be generated and output using the disclosed platform (e.g., generated by a web tier of the platform described above).

In one embodiment, the graphical visualization of the application delivery state facilitates troubleshooting of network performance problems associated with one or more of the plurality of endpoint devices. Example graphical visualizations that can be generated include the GUI visualizations similarly described above (e.g., including node grouping, node pagination, and network infrastructure visualizations as similarly described above).

FIG. 14 illustrates another flow diagram for monitoring enterprise networks with endpoint agents in accordance with some embodiments. In some embodiments, process 1400 is performed using platform 1200 as shown in FIG. 14.

At 1402, deploying a plurality of endpoint agents to a plurality of endpoint devices is performed. For example, a plurality of endpoint agents can be distributed to a plurality of endpoint devices using the platform described above. As similarly described above, an endpoint agent can be implemented using the endpoint architecture described above to perform the disclosed techniques for monitoring enterprise networks using endpoint agents.

At 1404, collecting test results from each of the plurality of endpoint agents is performed, wherein the test results are based on tests executed on each of the plurality of endpoint devices for monitoring network activity. For example, test results from each of the plurality of endpoint agents can be collected using the platform described above. As similarly described above, endpoint agents can provide user experience monitoring to facilitate diagnosis and troubleshooting of network performance and/or endpoint device system performance problems.

At 1406, generating an alert or a report based on the test results is performed. For example, an alert based on the test results can be generated and output (e.g., a GUI alert, an email/text/phone call alert, and/or other alert notification can be provided based on a configuration for alert notifications and/or based on the alert). As another example, a report can be generated that includes aggregated test data results, such as over a period of time (e.g., 30 days, 90 days, and/or some other configurable period of time). As yet another example, the alert or report can include an event that is determined based on the test results (e.g., events can be based on results from one endpoint agent and/or based on results from two or more endpoint agents (collective intelligence based on endpoint agent data collection, which can also include test results from other agents executed on network infrastructure elements/devices, destination sites, and/or cloud agents)). Example events that can be detected using the disclosed techniques can include detection of traffic outages, network infrastructure outages, application outages, and Internet Intelligence.

FIG. 15 illustrates another flow diagram for monitoring enterprise networks with endpoint agents in accordance with some embodiments. In some embodiments, process 1500 is performed using platform 1200 as shown in FIG. 15.

At 1502, deploying a plurality of endpoint agents to a plurality of endpoint devices is performed. For example, a plurality of endpoint agents can be distributed to a plurality of endpoint devices using the platform described above. As similarly described above, an endpoint agent can be implemented using the endpoint architecture described above to perform the disclosed techniques for monitoring enterprise networks using endpoint agents.

At 1504, collecting test results from each of the plurality of endpoint agents is performed, wherein the test results are based on tests executed on each of the plurality of endpoint devices for monitoring network activity. For example, test results from each of the plurality of endpoint agents can be collected using the platform described above. As similarly described above, endpoint agents can provide user experience monitoring to facilitate diagnosis and troubleshooting of network performance and/or endpoint device system performance problems.

At 1506, routing the collected test results to authorized subscribers is performed. For example, the routing of collected test results to authorized subscribers can be performed as similarly described above (e.g., as similarly described above in the section entitled, Data Routing Workflow for Data Collected from Endpoint Agents).

At 1508, routing the collected test results to another entity for live sharing is performed. For example, the routing of collected test results to another entity for live sharing can be performed as similarly described above (e.g., as similarly described above in the section entitled, Data Routing Workflow for Live Sharing for Data Collected from Endpoint Agents). For example, such live sharing techniques for sharing the collected data can facilitate troubleshooting information to be shared by ACME Corporation with their Software as a Service (SaaS) provider (e.g., Microsoft for Office365 or another service/provider).

Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

What is claimed is:
1. A system, comprising: a processor configured to: deploy a plurality of endpoint agents to a plurality of endpoint devices; collect test results from each of the plurality of endpoint agents for a plurality of tests, wherein the test results are based on tests executed on each of the plurality of endpoint devices for monitoring network activity, wherein periodic network access and system data are used to collect periodic active network measurements to network infrastructure and to capture a system resource snapshot of each of the plurality of endpoint devices based on a data collection profile (DCP), wherein the DCP includes an associated enterprise network specified by an IP address range, and wherein the DCP is used to trigger performing the periodic active network measurements if a public IP address assigned to an end-user device executing one of the plurality of endpoint agents is within the IP address range; and correlate the test results collected from the plurality of endpoint agents to determine an application delivery state for one or more application delivery layers based on the correlated test results; and a memory coupled to the processor and configured to provide the processor with instructions.